Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

'SocGholish' Attack Framework Powers Surge in Drive-By Attacks

Menlo Labs research team says framework's social engineering toolkit helps criminals impersonate software updates.

Drive-by download attacks have been on the uptick over the past two months, thanks to a highly active attack framework that security researchers have dubbed "SocGholish" for its ample use of social engineering tools and techniques. SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically placed on their machines when a visit to an infected compromise triggers a drive-by download. 

SocGholish attackers host and serve the malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate website.  

Related Content:

CISA: SolarWinds Not the Only Initial Attack Vector in Massive Breach

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

"Because the file is hosted in an iframe within a legitimate site, users are tricked into thinking the file is from a legitimate source and encouraged to download and execute the file," said Krishnan Subramanian, security researcher at Menlo Security, in a research note today.

This iFrame technique helps attackers end around basic web filtering based on website categories since they are delivered from legitimate categories.

The drive-by download mechanisms used by the SocGholish framework don't involve browser exploitations or exploit kits to deliver payloads. Instead, it uses three main techniques. The first is using watering hole attacks by planting iFrames on sites with relatively high Alexa rankings and then sending users through a number of redirects routed through common cloud hosting services until reaching a malicious ZIP file served from an Amazon S3 account.

The second technique is compromising sites hosted on content management systems like WordPress to embed iFrames that use JavaScript blobs to trigger the download.

"Since the entire payload is constructed within the endpoint, this method is commonly used to smuggle payloads and bypass legacy network proxies and sandboxes," Subramanian wrote.

The third SocGholish technique is leveraging sites.google.com and JavaScript to dynamically create a download link element pointed to a ZIP file hosted on a legitimate Google Drive link, and then simulating a click to trigger the download. 

Subramanian explained that SocGholish is used to gain initial access to endpoints; his team has observed it being used to distribute the Dridex banking Trojan and WastedLocker ransomware, among others. 

Drive-by downloads have been a thorn in security defenders' sides for many years and continues to be a prevalent technique for gaining a foothold into endpoint systems. The SocGholish report comes just a week after Microsoft researchers detailed the rampant use of drive-by downloads by the Adrozek malware to fuel an attack campaign, which ran from May through September 2020 and used 159 unique domains to distribute hundreds of thousands of unique malware samples. 

While major browser developers have taken steps to thwart these techniques, attackers keep innovating. In the case of SocGholish, the framework gets around security features in Chrome and Firefox that automatically block downloads from sandboxed iFrames by injecting iFrames without the sandbox attribute specified.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.